Hey All,
I currently have the below props and transforms on my HFs and my IDXs.
This works on dropping that extra text in the Windows events on most events but not all.
Support is telling me that putting this on the HFs will not work and that I should try to point all my UFs straight to my IDXs to achieve this. Due to networking limitations we are using HFs as we have differing network segments.
Has anyone else run into this issue or can speak to what support is telling me?
Props.conf
[WinEventLog:Security]
TRANSFORMS-shorten = shorten4624,shorten4634,shorten4648,shorten4769,shorten4771,shorten4688,shorten4625
Transforms.conf
[shorten4624]
REGEX = (?ms)(.*EventCode=4624.*)This event is generated when a logon session
DEST_KEY = _raw
FORMAT = $1
[shorten4634]
REGEX = (?ms)(.*EventCode=4634.*)This event is generated when a logon session is destroyed
DEST_KEY = _raw
FORMAT = $1
[shorten4648]
REGEX = (?ms)(.*EventCode=4648.*)This event is generated when a process attempts
DEST_KEY = _raw
FORMAT = $1
[shorten4769]
REGEX = (?ms)(.*EventCode=4769.*)This event is generated every time access is requested to a resource
DEST_KEY = _raw
FORMAT = $1
[shorten4771]
REGEX = (?ms)(.*EventCode=4771.*)Certificate information is only provided
DEST_KEY = _raw
FORMAT = $1
[shorten4688]
REGEX = (?ms)(.*EventCode=4688.*)Token Elevation Type indicates the type of token that was assigned to the new process
DEST_KEY = _raw
FORMAT = $1
[shorten4625]
REGEX = (?ms)(.*EventCode=4625.*)This event is generated when a logon request fails
DEST_KEY = _raw
FORMAT = $1
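An added example, not part of the original post and not Splunk code: a Python replay of the transforms above, with the REGEX wildcards written as `.*`, run over constructed events to list which ones no stanza trims and to confirm the kept part of `_raw` still carries its fields. `shorten`, `audit` and the sample events are hypothetical, and Python's `re` stands in for Splunk's regex engine here.

```python
import re

# Anchor text per EventCode, copied from the transforms.conf stanzas in the post.
ANCHORS = {
    "4624": "This event is generated when a logon session",
    "4634": "This event is generated when a logon session is destroyed",
    "4648": "This event is generated when a process attempts",
    "4769": "This event is generated every time access is requested to a resource",
    "4771": "Certificate information is only provided",
    "4688": "Token Elevation Type indicates the type of token that was assigned to the new process",
    "4625": "This event is generated when a logon request fails",
}
ORDER = ["4624", "4634", "4648", "4769", "4771", "4688", "4625"]  # as in TRANSFORMS-shorten

def build(code):
    # Same shape as REGEX in the post: keep group 1, drop the anchor and everything after it.
    return re.compile(r"(?ms)(.*EventCode=%s.*)%s" % (code, re.escape(ANCHORS[code])))

TRANSFORMS = [("shorten" + c, build(c)) for c in ORDER]

def shorten(raw):
    """Apply each transform in order; return (new_raw, names of stanzas that matched)."""
    hits = []
    for name, rx in TRANSFORMS:
        m = rx.search(raw)
        if m:
            raw = m.group(1)  # DEST_KEY = _raw, FORMAT = $1
            hits.append(name)
    return raw, hits

def audit(events):
    """Return (EventCode, matching stanzas, characters removed) per event."""
    rows = []
    for raw in events:
        code = re.search(r"EventCode=(\d+)", raw).group(1)
        new_raw, hits = shorten(raw)
        rows.append((code, hits, len(raw) - len(new_raw)))
    return rows

# Constructed samples (not real logs); the 4625 trailer is deliberately reworded.
SAMPLES = [
    "LogName=Security\nEventCode=4624\nMessage=An account was successfully logged on.\n"
    "Account Name: alice\n\nThis event is generated when a logon session is created.",
    "LogName=Security\nEventCode=4625\nMessage=An account failed to log on.\n"
    "Account Name: bob\n\nThis event is produced when a logon request fails.",
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

An event that comes back with an empty stanza list is one whose text the anchors do not match; an event that matches here but still arrives untrimmed in the index points at where the transform is applied rather than at the regex.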